(57) Abstract: A system and method for topology constrained routing policy provisioning between a plurality of sites in a Virtual
Private Network (VPN) is disclosed. The method comprises enabling graphically defining of relationships between the plurality of
sites of the VPN; and automatically generating at least one routing rule for each site of the VPN based at least in part on the defined
relationship.
SYSTEM AND METHOD FOR TOPOLOGY
CONSTRAINED ROUTING POLICY PROVISIONING

TECHNICAL FIELD OF THE INVENTION

The present invention relates generally to the field of telecommunications and more particularly
to a system and method for topology constrained routing policy provisioning.

BACKGROUND OF THE INVENTION

It is a unique aspect of a Virtual Private Network (VPN) that only certain sites are allowed to
exchange packets with one another. Existing provisioning systems allow an operator of a service
provider to configure the sites so that one site can talk to a second site but not to a third site. The service
provider may be an ILEC (Incumbent Local Exchange Carrier), a CLEC (Competitive Local Exchange
Carrier), an ICX (Incoming Exchange), an ISP (Internet Service Provider), and/or the like. In order to
operate properly it is desirable that the provisioning system be aware of the rules governing the
communication between different sites of a VPN and allow configuration of the VPN based on those

Existing provisioning systems allow an operator to configure routing policy

such provisioning of routing policy is based on mechanisms which require extra router ports or explicit IP
address prefix knowledge to be encoded in the routing policy. Thus, the service provider has to allocate
extra service ports unnecessarily and/or implement a costly and error prone provisioning task.

SUMMARY OF THE INVENTION

Accordingly, especially with the introduction of newer technologies, such as Border Gateway
Protocol (BGP) and Multi-protocol Label Switching (MPLS), there is a need in the art for a system and
method for routing policy provisioning in a network, such as topology constrained routing policy
provisioning in a Virtual Private Network (VPN), for example a BGP MPLS VPN. In the preferred
embodiment, the present invention allows topology constrained routing policy provisioning in a VPN by
capturing the provisioning operator's intent regarding the sites that are allowed to communicate with each



A system and method for provisioning routing relationships between customer sites constrained
by the topology of the VPN is disclosed. In the preferred embodiment, this is accomplished by
interpreting the desired VPN topology as specified by the provisioning operator, determining the desired
routing policies between customer sites which would effect the desired relationship so as to restrict
communications to only those sites which have the right to exchange traffic with one another. The
routing relationships then take effect in the provi
The method comprises enabling graphically defining of relationships between the plurality of
sites of the VPN and automatically generating at least one routing rule for each site of the VPN based at
least in part on the defined relationship.

Accordingly, it is a technical advantage of an exemplary provisioning system of the present
invention that it is capable of understanding, displaying, storing and configuring VPNs in a provider
network.

It is another technical advantage of an exemplary embodiment provisioning system that it is
capable of understanding, displaying, storing and configuring the VPN topology, preferably in terms of
the sites which are interconnected by VPN components and the type of VPN components, wherein the
topology of the VPN components specifies the topology or permitted communication relationships
between the sites.

It is another technical advantage of an exemplary embodiment of the present invention that a
system and method for constrained routing distribution employing learned route import, learned route
export, and route reflector learned route readvertisement features facilitating flexible route distribution
policy is disclosed. A notation and nomenclature for conveying import and export rules as used to
provision the constrained routing distribution me

It is yet another technical advantage of an exemplary embodiment provisioning system that it is
capable of understanding and using VPN topology for each VPN to facilitate construction of rules.

QQ ^A6teintenuabandbid)^okaVFNoQn9omM 

distribution and therefore communications paths to only those other sites with permitted communication
relationships as opposed to all sites reachable via an underlying shared packet switched network.

It is yet another technical advantage of an exemplary embodiment provisioning system that it is
capable of facilitating tuning of import and export rules such that different VPN components may be
configured to share routes and/or such that different components of a VPN may be configured to no
longer share routes.

Other aspects and features of the invention will become apparent to those ordinarily skilled in the
art upon review of the following description of specific embodiments of the invention in conjunction with
the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, the objects and advantages thereof,
reference is now made to the following descriptions taken in connection with the accompanying drawings
in which:

FIGURE 1 shows the topology of an exemplary Virtual Private Network (VPN) according to a
preferred embodiment of the present invention;
FIGURE 2 shows an exemplary screen display of a preferred embodiment of a management and
control system of the present invention;

FIGURE 3 shows a preferred embodiment block diagram for Route Target processing within the
Provider Edge node servicing a site;
FIGURE 4 shows an exemplary screen display of routing policy for a site of the network of
FIGURE 1;

FIGURE 5 shows a schematic diagram of an
FIGURES 6A-6D show the various stages in the pro
according to a preferred embodiment of the present

DETAILED DESCRIPTION OF THE DRAWINGS

The preferred embodiment of the present invention and its advantages are best understood by
referring to FIGURES 1 through 6 of the drawings, like numerals being used for like and corresponding
parts of the various drawings.

FIGURE 1 shows the topology 100 of an exemplary Virtual
Private Network (VPN). As illustrated in FIGURE 1 topology 100 comprises one or more VPN
components 102 and 104. Each of the VPN components may have either a hub-spoke configuration or a
mesh configuration. In the exemplary embodiment of FIGURE 1 component 102 has a hub-spoke
configuration and component 104 has a mesh configuration. Topology 100 also comprises one or more
sites 106, 108, 110 and 112 connected by an underlying network 120.

It is a unique aspect of Border Gateway Protocol 4 (BGP) and Multi-protocol Label Switching
(MPLS) VPNs that the VPN connectivity is provided by a dedicated provider edge-customer edge (PE-
CE) peering relation combined with a shared packet-switched network operable to deliver packetized data
between nodes/sites thereof in an appropriately formatted protocol, e.g. IP, User Datagram Protocol
(UDP), and/or the like. The underlying network 120 may be embodied with any number of general
transmission technologies. In an embodiment, the underlying network 120 is a fiber optic network
carrying MPLS and IP formatted data therebetween and, accordingly, the nodes may be implemented as
optical transport nodes although

of the invention. While the present invention contemplates an implementation on an optical network, the
invention as described herein is not intended to be limited thereto and, accordingly, underlying network
120 may be any type of network capable of packet-switched data transmissions between various nodes


In the preferred embodiment, the BGP MPLS VPN topology is governed by constrained
distribution of routing information between sites using the concept of Route Target attributes which are
sent with routing updates. Any two sites of the VPN which are able to share routing information are said
to be topologically related. If an underlying network transport mechanism, such as MPLS, exists to
securely carry packets between sites
over the VPN.

Sites which are connected in a mesh configuration may exchange packets with one another. The
mesh interconnection is useful for connecting sites, such as regional headquarters so that the different
regional headquarters can exchange data with one another. In the preferred embodiment, a mesh VPN
component employs one Route
A BGP process serving each of the sites belonging to the
mesh imports routes tagged Route

Sites which are connected in a hub-spoke configuration typically have restrictions on the
exchange of packets. A site which is a hub may exchange packets

while a site which is connected as a spoke may only exchange packets with the hub. The hub-spoke
arrangement is useful for connecting sites, such

regional headquarters. In such an arrangement, the regional headquarters could be the hub and the sales
offices could be the spokes. Thus, data from the sales office in a particular region can be transmitted to
the regional headquarters from where it might be sent to other sales offices in the same region or to the
headquarters of a different region.

In the preferred embodiment, a hub-spoke VPN component employs two Route Targets - Th(x)
for the hub and Ts(y) for the spokes. The BGP process serving the hub site imports routes tagged
Ts(y) and exports routes tagged with Th(x). The BGP process serving the spoke site imports routes
tagged with Th(x) and exports routes tagged with Ts(y).

In the exemplary embodiment shown in FIGURE 1, site 1 is a spoke of hub-spoke VPN
component 1; site 2 is a spoke of hub-spoke VPN component 1; site 3 is the hub of hub-spoke VPN
component 1 and is also a member of mesh VPN component 2; and site 4 is a member of mesh VPN
component 2. Thus, site 1 can only exchange packets with site 3; site 2 can only exchange packets with
site 3; site 4 can only exchange packets with site 3; and site 3 can exchange
site 4. Connections between sites and VPN components are representative of the VPN topology and
connections between the sites reflect the constrained topology upon which provisioning may be based.

Route Targets may be used to describe the topology of a VPN, for example the permitted
combination of sites which may communicate securely over the VPN. A Virtual Routing Forwarding
(VRF) table associated with a particular site S is populated only with routes that lead to other sites which
have at least one VPN in common with site S. This prevents communication between sites which have no
VPN in common. Every VRF is associated with one or more Route Target attributes. These are carried
in BGP as attributes of the route. Any route associated with a Route Target T is distributed to every
Provider Edge (PE) router that has a VRF associated with Route Target T. When such a route is received
by a PE router, it is eligible to be installed on those of the PE's VRFs which are associated with Route
Target T. An Export Target is a Route Target that a PE router attaches to a route

An Import Target is a Route Target that a PE router uses to determine whether a route received from






WO 02/099571 PCT/US02/17056

another PE router could be placed in the VRF. A particular VPN IPv4 route is
eligible for installation in a particular VRF if there is some Route Target that is both one of the route's
Route Targets and one of the VRF's Import Targets.
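
The eligibility rule above, applied to the FIGURE 1 topology, can be used to check that the derived import and export targets permit exactly the intended site pairs. The following Python is an added example, not code from the patent or from MCS 201; the Route Target names, the data layout and the function names are assumptions made for illustration.

```python
from itertools import permutations

# Constructed Route Target names; the page gives no concrete values.
RT_HUB, RT_SPOKE, RT_MESH = "rt-hub-c1", "rt-spoke-c1", "rt-mesh-c2"

# FIGURE 1 as the text describes it: (site, topology, role, component RTs).
MEMBERSHIPS = [
    ("site1", "hub-spoke", "spoke", (RT_HUB, RT_SPOKE)),
    ("site2", "hub-spoke", "spoke", (RT_HUB, RT_SPOKE)),
    ("site3", "hub-spoke", "hub", (RT_HUB, RT_SPOKE)),
    ("site3", "mesh", "member", (RT_MESH,)),
    ("site4", "mesh", "member", (RT_MESH,)),
]

# Operator intent: unordered pairs of sites allowed to exchange packets.
INTENDED = {
    frozenset(p)
    for p in [("site1", "site3"), ("site2", "site3"), ("site3", "site4")]
}


def derive_targets(memberships):
    """Build {site: {"import": set, "export": set}} from component roles."""
    vrfs = {}
    for site, topology, role, rts in memberships:
        vrf = vrfs.setdefault(site, {"import": set(), "export": set()})
        if topology == "mesh":
            # Mesh default: the same RT is imported and exported.
            vrf["import"].add(rts[0])
            vrf["export"].add(rts[0])
        elif topology == "hub-spoke" and role == "hub":
            hub_rt, spoke_rt = rts
            vrf["export"].add(hub_rt)
            vrf["import"].add(spoke_rt)
        elif topology == "hub-spoke" and role == "spoke":
            hub_rt, spoke_rt = rts
            vrf["export"].add(spoke_rt)
            vrf["import"].add(hub_rt)
        else:
            raise ValueError(f"unknown topology/role: {topology}/{role}")
    return vrfs


def installable(exporter, importer, vrfs):
    """A route is eligible for a VRF if one of its RTs is an Import Target."""
    return bool(vrfs[exporter]["export"] & vrfs[importer]["import"])


def exchange_pairs(vrfs):
    """Pairs that can exchange packets: routes must install in both directions."""
    return {
        frozenset((a, b))
        for a, b in permutations(vrfs, 2)
        if installable(a, b, vrfs) and installable(b, a, vrfs)
    }


def route_leaks(vrfs, intended):
    """Directed (exporter, importer) installs between sites not meant to talk."""
    return sorted(
        (a, b)
        for a, b in permutations(vrfs, 2)
        if installable(a, b, vrfs) and frozenset((a, b)) not in intended
    )


def misconfigured_example():
    """Constructed fault: site1 also imports the spoke RT of component 1."""
    vrfs = derive_targets(MEMBERSHIPS)
    vrfs["site1"]["import"].add(RT_SPOKE)
    return vrfs


if __name__ == "__main__":
    good = derive_targets(MEMBERSHIPS)
    print(sorted(sorted(p) for p in exchange_pairs(good)))
    print(route_leaks(misconfigured_example(), INTENDED))
```

The constructed fault installs site 2's routes at site 1 in one direction only, so a check on bidirectional pairs alone would miss it; `route_leaks` reports the directed install.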

The topology of a BGP MPLS VPN is not immediately evident from the capabilities of the
underlying transport network which may offer communication between all PE nodes. Therefore, an
understanding of the application of Route Targets, their import and export control, and BGP protocol
behavior is desirable to properly determine the topology of
It is desirable
that the provisioning system be aware of the rules governing communication between different sites of a
VPN and allow configuration of the VPN based on those rules.

Preferably a Management and Control System (MCS) 201 (FIGURE 2), which is preferably a
client-server based software system, is utilized for topology constrained QoS (Quality of Service) and
routing policy provisioning according to the preferred embodiment of the present invention. A user
interface 200 associated with MCS 201 allows a provisioning operator to graphically create the
topological relationship between different sites. User interface 200 preferably also allows the
provisioning operator to graphically setup QoS and routing relationships between the different sites.
However, user interface 200 only allows QoS and routing relationships to be set up based on the
constraints of the underlying topology. Thus, by being aware of the rules corresponding to the topology,
MCS 201 allows provisioning of QoS and routing relationships based on the topology. MCS 201
captures the provisioning operator's intent, performs the desirable validation and translation into routing
rules for different sites of the VPN, stores the information in a database, and transmits it to the
appropriate routers, switches and/or devices of the network.

A pointing device, such as a mouse, a trackball and/or the like
pointer on a display may be used. The graphical pointer is used to provide feedback to the provisioning operator.
Utilizing the pointing device, the provisioning operator may point to a desired selection and receive
feedback by viewing the graphical pointer. Furthermore, pointing and clicking on a representation of a
VPN element by keeping the button of the pointing device depressed would allow the provisioning
operator to 'drag' the selected VPN element. Releasing the button of the pointing device would allow the
provisioning operator to 'drop' the selected VPN element.

FIGURE 2 shows an exemplary screen display of the preferred embodiment MCS 201 of the
present invention. User interface 200 of MCS 201 preferably comprises a configuration area 203, a
customer area 211 and a display area 212. Preferably the VPN configuration
clicking on a Config icon 202. The configuration application preferably includes one or more tabs for
selecting the Config task areas. For example, as illustrated, the configuration application includes three
task areas - Peering 204, VPN 206 and Admin 208. Each task area preferably displays a VPN tree 210 in
customer area 211 with the appropriate data included in the tree. Display area 212 to the right of VPN
tree 210 can handle different views depending
The views may be
list, graphical, no context, and/or the like.

FIGURE 2 shows an exemplary screen display when the VPN tab 206 is selected. Within the
context of the VPN tab, an operator can toggle between one or more views - VPN topology, VPN QoS,
Topology/QoS Overlay, and/or the like. Preferably, the view can be changed by selecting the appropriate
view under the "View" pull down menu.

VPN tree 210 shows a containment relationship
Preferably
when configuring VPNs, VPN tree 210 includes one or more
service
provider, customers, sites, site interfaces, VPNs, VPN components, VPN interfaces, and/or the like. In
the preferred embodiment, when the selected

preferably contains QoS templates, for example, for differentiated services (DiffServ), policing, IP header
classification, queuing parameters, and/or the like. Preferably the different data categories appear as
folder icons on VPN tree 210. Object instances reside within the data category folder icon on VPN tree
210. Preferably there is no category folder for Service Provider as in the preferred embodiment the
provisioning operator will be logged on as a representative of a particular Service Provider.

A list view displays the items contained within the current VPN tree node selection. For
example, clicking on the Customers folder preferably displays a list of all customers in the folder,
preferably one per row. Clicking on a tree leaf - for example, a specific site
as a single table row.

In the preferred embodiment for VPN tab 206, the list view data for various tree elements is as
shown in Table I:

TREE DATA ELEMENT    LIST VIEW DATA
Customer             Name, Postal Address, Billing Address, Shipping Address, Contact Information
Site                 Name, IP Address, Contact, Route Distinguisher
Interface            Name, Interface IP Address, Subnet Mask, Route Distinguisher
VPN                  Name, ID, Type
VPN Component        Name, Component Number, Component Topology, Primary Route Target, Secondary Route Target
VPN Interface        VPN ID, VPN Component ID, Component Role, Primary (Boolean), Member Label

Table I
view preferably shows the VPN components and the associated relationships for the
most recently selected VPN. If the user clicks on a non-VPN data icon in VPN tree 210, such as a
customer, the most recently selected VPN remains on the graphical display. The individual VPN
elements may be shown graphically. Thus, as shown in FIGURE 1, a hub-spoke VPN component
shown by a triangle; a mesh VPN component may be shown by a circle; and a site may be shown by a
rectangle with a label in the center. Preferably a single click on a VPN component selects the
corresponding entry in VPN tree 210 and a single click on a link between a component
selects the corresponding VPN interface in VPN tree 210.

Utilizing the user interface of the present invention a VPN, a customer, and/or a site may be
added by right clicking on a customer entry and making the appropriate selection from a pop-up menu.
The details for the particular selection can then be filled in.

For example, a site interface may be added by right clicking on a site entry and making the
appropriate selection from the pop-up menu. The details for the site interface can then be filled in. The
site interface details window preferably contains one or more of the following data fields to be filled by
the provisioning operator: Name, Interface IP Address, Subnet Mask, Route Distinguisher, and/or the like.
The default site interface name is the customer equipment name concatenated with the interface IP
address. A site interface may be displayed on the graphical view by dragging and dropping one or more
site interfaces from VPN tree 210 onto a VPN component on VPN tree 210
When a site interface is added to a VPN component on the graphical
graphic is added to the graphical view. A corresponding VPN interface is also created in VPN tree 210 under
the component. The name of the VPN interface defaults to VPNIPn where n is the next available

A line designating a site's membership in a VPN component connects the site to the VPN
component. If the VPN component is a hub-spoke VPN component

hub and other interfaces become the spoke. If desired, however, the designation of an interface as a hub
or a spoke can be changed. Also, if desired, a default communication channel, such as a hose, is added
between the site and the VPN component. A default Policing template and DiffServ template are also
preferably applied to the communication channel. For example, a default policing template may be tot
Best Effort (BE) traffic to the line rate and a traffic envelope
Alternatively, user provisioned
defaults may be used, if desired.
A VPN component may be added to an existing VPN entry by right

making the appropriate selection from the pop-up menu. The details for the VPN component may then be
filled in. The VPN component details window preferably contains one or more of the following data
fields to be filled by the provisioning operator: Name, Component Number, Component Topology,
Primary Route Target, Secondary Route Target, and/or the like.
FIGURE 3 shows a preferred embodiment block diagram for Route Target processing within the
PE node servicing a site. For each customer site linked to a PE, preferably there is one
Router (EVPR) instance on that PE. The EVPR instance is responsible for one or more of the
following operations: accepting Customer Edge (CE) route advertisement, accepting selected set of
routes from a route reflector where the EVPR has VPN membership; distributing routing information to
one or more route reflectors; and/or the like. Routing information acceptance
Route Targets (RTs) in the advertisement from the route reflectors. The accepted routes are preferably
advertised to the CE router. If desired, the accepted routes may also be installed on the PE to CE user
ports.

A route is preferably a set of Internet Protocol (IP) addresses and is specified by the common
prefix of the IP addresses. Thus, for example, the route for a set of devices with IP addresses 10.0.0.1,
10.0.0.3, and so on, is specified by the common prefix 10.0.0. A route reflector is preferably a
router that has information about different routes. The information about different routes is preferably
stored in a routing table associated with the router. Routing information from the route reflectors of a
VPN may be accessed by different members of the VPN depending on the type of membership. Each
VPN may have one or more route reflectors.

As shown in FIGURE 3, at site level 302 there are two types of
determining which routes are accepted and which routes are
servicing the site: one or more import rules 304 and
At port level
312, there are one or more local export rules 308. Thus, in the preferred embodiment, three types of
routing filters or routing rules are automatically generated and used for provisioning routing policy.

Routes 310 from one or more route reflectors are received by import
306. The received routes are filtered by import rules 304 and "leaked" to the corresponding PE-CE
routing protocol. The routes accepted by the PE-CE peering protocol are preferably
and installed on the corresponding network processor. Routes from PE-CE routing protocol are received
local export rules 308. The received routes are filtered by local export rules 308 and the filtered routes
314 advertised to the route reflectors.

Import rules 304 preferably specify the set of routes received from one or more route reflectors to
be leaked to the corresponding PE-CE routing protocol. The filtered routes may be advertised and
installed on user ports assigned to a particular site. Preferably, no intra-site traffic is allowed. In the
preferred embodiment, one or more of the following route information items is available from the route
reflector - Route Distinguisher (RD), Route Target (RT), Site of Origin (SOO), VPN_ID, Internet
Protocol version 4 (IPv4) Prefix, NextHopInfo, and/or the like. Preferably, the information items are
denoted as a 6-tuple

{RD, RT, SOO, VPN_ID, IPv4Prefix, NextHopInfo}

However, the invention is not so limited
any other suitable notation or nomenclature, for example, as a mathematical expression, as route map
commands, and/or the like.

A RD is preferably used to allow creation of distinct routes to a common IPv4 address prefix.
Preferably, the RD does not participate
The RD can be a property of or
be associated with one or more of the following: a site
In the
preferred embodiment, the RD is allocated on a per VPN component basis. Since a RD is used to
distinguish different IPv4 routes,
attached to the route per advertisement. Also, one route may be advertised multiple times by using
different RDs and possibly with different
The association between routes and RDs
is preferably performed via filters or rules.

A RT is preferably used to control route distribution
As discussed above, preferably
there are two types of VPN components as defined by MCS 201 - a mesh VPN component and a hub-
spoke VPN component.

In the mesh VPN component, the routing
mesh. Preferably, one import RT and one export RT
If there is no
routing policy imposed on the routing distribution, the import RT and the export RT are the same, which
is the default behavior set by MCS. The import RT and export RT may be modified so
policies may be applied efficiently.

In the hub-spoke VPN component,
direct inter-spoke communication. Preferably, the hub site is assigned one RT which is to
the spokes and the spoke sites are assigned a different RT to be imported by the hub. The association
between routes and RTs is preferably performed via filters or rules. A hub-spoke arrangement may be
useful in the following cases: central services site, firewall site, and/or the like. A central services site
services the spoke and thus, there is no requirement for inter-spoke communication. In the case of a
firewall site, all the communication between the spokes
which acts as a
hub site. In order to enable firewall operations import and export rule mechanisms may be mbitH.

The Site of Origin is preferably used to identify the original site the route is obtained from and
once assigned is preferably not modified. The VPN_ID field is preferably used to select
route reflector. For import rules, the VPN_ID field is preferably used to select the
VPN ID of the route reflector. For export rules, the VPN ID field is preferably used to select the route
reflector the route is to be advertised to. For provisioning routing policy through MCS 201, NextHopInfo
is preferably a specification of the user port to which the site interface is connected thereby leading to the
next network hop towards a given IP prefix for packet transmission purposes. It is specified by the
Interface Index of the local PE serving the site. For route advertisement purposes, the NextHopInfo is
preferably a specification of the PE and the user port to which the remote site interface is connected
tfaPBOlVHUk.

In the preferred embodiment, all routes from the route reflectors are used as input to import
rules/filters 304. In the preferred embodiment, the rule operates on all fields of the 6-tuple to provide
maximum flexibility. However, if desired, the rule may operate on fewer fields. For each field, except
the IPv4 prefix field, to be compared a corresponding mask is used. Preferably, if the mask is set, the
value of the field is to be compared. If the mask is not set, no comparison
to pass signifying that the route passed the filter and
with the filter action. The field may also be set to pass if the comparison
For the IPv4
prefix field, a second mask which is preferably
IP prefix. The IPv4 prefix mask is preferably applied to the
The status
of the IPv4 field is set to pass if the comparison result is equal. The filter action is specified only if all
fields of the 6-tuple are set to pass.
Thus, the generic specification for an import rule 304 is given by mask {0|1, 0|1, 0|1, 0|1, 32
bit mask for IPv4 Prefix, 0|1}, value *, *, *, action=permit | deny
However, the invention is not so limited and
may be expressed in any other suitable notation or nomenclature, for example, as a mathematical
Thus, for example, to exclude all the routes originating
the import rule is specified as

mask{0, 0, 1, 0, 0, 0}, value{0, 0, s1, 0, 0, 0}, action=reject (1)

This rule is preferably the default rule for all sites, wherein the site is s1. The rule prevents the
possibility of re-advertisement to the CE thereby preventing a possible routing loop in the process.
For a site to accept routes with RT rt1, the import rule is preferably

mask{0, 1, 0, 0, 0, 0}, value{0, rt1, 0, 0, 0, 0}, action=accept (2)

Since in the above example, the RD mask is zero, therefore the RD field comparison would be set
to pass. The RT mask is one, therefore the RT comparison is performed and only set to pass if rt1 = rt1,
which in this case is true. For each of the remaining fields the mask value is zero, therefore the field
comparison would be set to pass. This results in a tuple, such as {PASS, PASS, PASS, PASS, PASS,
PASS}, in which case the action should be applied to the route. The import rules (1) and (3) may be used
as default rules if there is no other routing policy involved.
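
The mask/value evaluation just described can be exercised on sample routes. The following Python is an added example, not code from the patent or from MCS 201; the first-match ordering, the default action when no rule matches, the way the 32-bit prefix mask is applied, and all sample route values are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Field order follows the page's 6-tuple.
FIELDS = ("rd", "rt", "soo", "vpn_id", "prefix", "next_hop")
Route = namedtuple("Route", FIELDS)
Rule = namedtuple("Rule", ["mask", "value", "action"])
PREFIX = FIELDS.index("prefix")


def _ip(addr):
    """Accept a dotted quad or an integer (the page writes unused values as 0)."""
    return int(ipaddress.IPv4Address(addr))


def field_status(rule, route):
    """Return the per-field PASS/FAIL tuple for one rule and one route."""
    status = []
    for i, (mask, value, actual) in enumerate(zip(rule.mask, rule.value, route)):
        if i == PREFIX:
            # Assumption: the 32-bit mask is ANDed with both prefixes before
            # the equality test, so a mask of 0 always passes.
            ok = (_ip(actual) & mask) == (_ip(value) & mask)
        else:
            # Mask not set: no comparison, field passes. Mask set: compare.
            ok = (not mask) or actual == value
        status.append("PASS" if ok else "FAIL")
    return tuple(status)


def evaluate(rules, route, default="reject"):
    """Apply the first rule whose fields all pass (ordering is an assumption)."""
    for rule in rules:
        if all(s == "PASS" for s in field_status(rule, route)):
            return rule.action
    return default


# Import policy for site s1, using the two rules written out on the page.
LOOP_GUARD = Rule((0, 0, 1, 0, 0, 0), (0, 0, "s1", 0, 0, 0), "reject")
ACCEPT_RT1 = Rule((0, 1, 0, 0, 0, 0), (0, "rt1", 0, 0, 0, 0), "accept")
# Constructed variant: accept rt1 only for prefixes inside 10.0.0.0/24.
ACCEPT_RT1_SCOPED = Rule(
    (0, 1, 0, 0, 0xFFFFFF00, 0), (0, "rt1", 0, 0, "10.0.0.0", 0), "accept"
)

# Constructed sample routes as they might arrive from a route reflector.
FROM_S2 = Route("rd2", "rt1", "s2", "v1", "10.0.0.0", "pe2:port1")
OWN_ROUTE = Route("rd1", "rt1", "s1", "v1", "10.1.0.0", "pe1:port3")
OTHER_VPN = Route("rd9", "rt9", "s9", "v2", "10.0.0.0", "pe9:port1")
OUT_OF_SCOPE = Route("rd2", "rt1", "s2", "v1", "192.168.5.0", "pe2:port1")

if __name__ == "__main__":
    policy = [LOOP_GUARD, ACCEPT_RT1]
    for route in (FROM_S2, OWN_ROUTE, OTHER_VPN):
        print(route.soo, route.rt, evaluate(policy, route))
```

With the loop-guard rule listed first, a route whose Site of Origin is s1 is rejected even though it carries rt1, which is the re-advertisement case the default rule is meant to stop.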
Remote export rules 306 preferably associate a particular route from the route reflectors with
information items, such as RT, SOO, VPN_ID, IPv4 prefix, NextHopInfo, and/or the like. Remote
export rules 306 are preferably used to perform re-advertisement of the routes to the route reflector with
optionally different NextHopInfo. This is accomplished in part by attaching a different RD to the routes
in order to avoid duplication inside the route reflector. In the preferred embodiment routes advertised
from the route reflectors are used as input to remote export rules 306. The accepted routes are preferably
advertised to the route reflectors from where the routes were obtained with a different RD and different
next hop information. Preferably, the next hop information in a remote export rule is configured by MCS
201. Preferably, routes are re-advertised to the same VPN only and not readvertised across VPN
boundaries. Any routes which are not accepted are discarded, for example
typically discarded.

Local export rules 308 preferably associate a particular IPv4 route from PE-CE routing protocol
with information items, such as RD, RT, SOO, VPN_ID, IPv4 prefix, NextHopInfo, and/or the like. In
the preferred embodiment routes obtained from the PE-CE routing protocol are used as input to local
export rules 308. The accepted routes are preferably exported to the proper route reflector. Preferably,
the next hop information in a local export rule is automatically generated. Any routes which are not
accepted are discarded, for example, routes from the same site are typically discarded.

The generic specification for a remote export rule 306 and a local export rule 308 is given by:

mask {0|1, 0|1, 0|1, 0|1, 32 bit mask for IPv4 Prefix, 0|1}, value *, *,
action=reject | accept with {RD, RT, SOO, VPN_ID, *, NH}.

However, the invention is not so limited and if desired the generic specification for a remote
export rule and a local export rule may be expressed in any other suitable notation or nomenclature, for
example, as a mathematical expression, as route map commands, and/or the like.

The * signifies that the IPv4 Prefix is the
NH signifies next
hop information to be attached.

Thus, for example, in order to export the locally obtained routes from port port3 with rt1, rd1, to
VPN v1, the local export rule is specified as follows:

mask{0, 0, 0, 0, 0, 0}, value{0, 0, 0, 0, 0, 0}, action=permit with {rd1, rt1, site3, v1, *, NH},

where NH is the next hop for the route. Preferably, this is the Interface Index for the local port of
the PE connected to the site from where the particular route is obtained, for example, the port serving
site3, and the advertising PE EVPR address.
Preferably, routes from a particular route reflector are not distributed back to the same route
reflector. Thus, the exclusion rule for routes obtained from the route reflector is preferably specified as a
default rule of the form:

mask{0, 0, 0, 0, 0, 0}, value{0, 0, 0, 0, 0, 0}, action=deny.

In the preferred embodiment, firewall operations require the redistribution of the routes from the
route reflector. One or more default exclusion rules may be used to this
An exemplary remote export rule that may be used is specified below:

where Z is the next hop specification for a local port of the site. Preferably, a list of such
exclusion rules is desirable for each possible value of Z.
FIGURE 4 shows an exemplary screen display
1. The routing policy table has a plurality of columns
IPv4, Next Hop, Action, Comment and/or the like. MCS 201 preferably automatically generates a routing
policy table for each site of the VPN based at least in part on the provisioning operator's intent as
specified graphically by the provisioning operator. The routing policy table is
generated by MCS 201 based at least in part on the policies discussed herein especially
FIGURES 1^, 5 and 6A-6D.

As shown in FIGURE 4, the import rules/filters section has three (3) rules. As can be seen from
the comment section for rule number 1, if a particular site receives route information from itself that
information is discarded. This is specified in the table by setting different values for the different
columns. An "Auto" value in the type column indicates that the rule was automatically generated by
MCS 201 based on the graphical provisioning performed by the provisioning operator. Thus, rule 1
specifies that for any route coming in which matches any RD
site of origin is the same site as the site being specified, for example in the illustrated
is a "Reject", that is the route is discarded.

Since site 3 is a member of VPN component 2, which is a mesh, rule number 2 of the import rules
section specifies if any routes are received from any site in the mesh, then the action taken by site 3 is
an "Accept", that is any routes advertised on the mesh are imported. Thus, rule 2 specifies that
any routes that are advertised in the mesh with a particular Route Target, for example Tm(101.1), are
imported. The Tm in the RT column stands for target mesh.

Since site 3 is a hub for VPN component 1, which is a hub-spoke, rule number 3 of the import
rules section specifies that if any routes are received from any spoke site in the hub-spoke, then the action
taken by site 3 is an "Accept", that is any routes advertised on the hub-spoke by a spoke are imported by
site 3. Thus, rule 3 specifies that any routes that are advertised with a particular Route
Target, for example Ts(100.2), are imported. The Ts in the RT column stands for target spoke.

As shown in FIGURE 4, since site 3 is a member of two VPN components, the local export
rules/filters section for site 3 has two (2) rules. In general, any member of a mesh VPN component
advertise routes using the same RT. Therefore, preferably the RT value for rule 2 of the import rules is
the same as the RT value for rule 1 of the local export rules. However, in the case of a hub-spoke, two
RT values are employed. The spokes advertise to the first RT, say Ts(y), but import from the second RT,
say Th(x). On the other hand, the hub advertises to the second RT, say Th(x), but imports from the first
RT, say Ts(y), which is how all spokes have advertised their routes. Thus, preferably the RT value for
rule 3 of the import rules is different from the RT value of rule 2 of the local export rules.

Line 1 of rule number 1 specifies that site 3 will accept any route that is coming in and line 2 of
rule number 1 specifies that site 3 will advertise those
line 2 of rule number 1, the routes are advertised with
as the Route Distinguisher; a value
of 101.1 as the Route Target; site 3 as the site of origin; the client intranet as the VPN; and the IPv4
address that is being advertised. An "=" value in the IPv4 address field indicates that the value of the IPv4
address that is advertised is not changed.

Line 1 of rule number 2 of the local export rules specifies that site 3 will accept any route that is
coming in and line 2 of rule number 2 specifies that site 3 will advertise those routes to the hub Route
Target. As illustrated in line 2 of rule number 2, the routes are advertised with a value of 100.3 as the
Route Distinguisher; a value of 100.1 as the Route Target; site 3 as the site of origin; the client intranet as
the VPN; and the IPv4 address that is being advertised. An "=" value in the IPv4 address field indicates
that the value of IPv4 address that is advertised is not changed.

The remote export rules specify which routes from which VPN components may be advertised to
other VPN components thereby bridging different VPN components. In the example illustrated
in FIGURE 4 routes from one VPN component are not advertised to other VPN components. However,
the invention is not so limited and if desired, routes from one VPN component may be advertised to other
VPN components.

FIGURE 5 shows a schematic diagram of an exemplary VPN. VPN 500 comprises a hub-spoke
VPN component X1 (502) with site S1 (504) as the hub and sites S2 (506), S3 (508), and S4 (510)
as the spokes. VPN 500 also comprises a mesh VPN component X2 (512) with sites S1 (504) and S5
(514) as members of the mesh.
FIGURES 6A-6D show the various stages in the provisioning of the exemplary VPN of FIGURE
5 according to a preferred embodiment of the present invention. The following terminology is used with
respect to FIGURES 6A-6D: A customer is denoted as C1. A VPN for customer C1 is denoted as C1V1.
A component of VPN C1V1 is denoted as C1V1X1. The Route Distinguisher for component C1V1X1 is
denoted as C1V1X1D. A Route Target for a hub of component C1V1X1 is denoted as C1V1X1Th and a
Route Target for a spoke of component C1V1X1 is denoted as C1V1X1Ts. A Route Target for a mesh
VPN component C1V1X1 is denoted as C1V1X1Tm. A site for customer C1 is denoted as C1S1.

FIGURE 6A shows the addition of site C1S1 as a hub of VPN component C1V1X1. The routing
policy comprises of two import rules IF1 and IF2; one local export rule EL1; and one remote export rule
ER1.

The import rules for site C1S1 are preferably specified as:
IF1 {0, 0, C1S1, 0, 0, 0} -> Reject; /* no routes from self (default) */
IF2 {0, C1V1X1Ts, 0, 0, 0, 0} -> Accept; /* import routes from spoke */

The export rules for site C1S1 are preferably specified as:
EL1 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Th, C1S1, C1V1, =, 0}; /* export routes to hub */
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

FIGURE 6B shows the addition of sites C1S2, C1S3, and C1S4 as spokes of VPN component
C1V1X1. The routing policy for each of them comprises of two import rules IF1 and IF2; one local
export rule EL1; and one remote export rule ER1.

The import rules for site C1S2 are preferably specified as:
IF1 {0, 0, C1S2, 0, 0, 0} -> Reject; /* no routes from self (default) */
IF2 {0, C1V1X1Th, 0, 0, 0, 0} -> Accept; /* import routes from hub */

The export rules for site C1S2 are preferably specified as
EL1 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Ts, C1S2, C1V1, =, 0}; /* export routes to spoke */
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

The import rules for site C1S3 are preferably specified as
IF1 {0, 0, C1S3, 0, 0, 0} -> Reject; /* no routes from self (default) */
IF2 {0, C1V1X1Th, 0, 0, 0, 0} -> Accept; /* import routes from hub */

The export rules for site C1S3 are preferably specified as
EL1 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Ts, C1S3, C1V1, =, 0}; /* export routes to spoke */
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

The import rules for site C1S4 are preferably specified as
IF1 {0, 0, C1S4, 0, 0, 0} -> Reject; /* no routes from self (default) */
IF2 {0, C1V1X1Th, 0, 0, 0, 0} -> Accept; /* import routes from hub */

The export rules for site C1S4 are preferably specified as






WO02A»9571 PCrAJS02/17056 

EL1 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Ts, C1S4, C1V1, =, 0}; /* export routes to spoke */
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

FIGURE 6C shows the creation of mesh VPN component C1V1X2 and the addition of site C1S1
as a member of mesh VPN component C1V1X2. Appropriate identifiers, such as Route Distinguisher
C1V1X2D and Route Targets C1V1X2Tm and 01 Vixm are allocated for the component. Mesh VPN
component C1V1X2 only uses a single Route Target C1V1X2Tm. However, Route Target CIVIXZA is
also allocated in case the component is changed from a mesh VPN component to a hub-spoke VPN
component.

The routing policy for the addition of site C1S1 to mesh VPN component C1V1X2 comprises of
three import rules IF1, IF2 and IF3; two local export rules EL1 and EL2; and one remote export rule ER1.

The import rules for site C1S1 are preferably specified as:
IF1 {0, 0, C1S1, 0, 0, 0} -> Reject; /* no routes from self (default) */
IF2 {0, C1V1X1Ts, 0, 0, 0, 0} -> Accept; /* import routes from X1 spoke */
IF3 {0, C1V1X2Tm, 0, 0, 0, 0} -> Accept; /* import routes from X2 mesh */

The export rules are preferably specified as
EL1 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Th, C1S1, C1V1, =, 0}; /* export routes to hub */
EL2 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X2D, C1V1X2Tm, C1S1, C1V1, =, 0}; /* export routes to X2 mesh */
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

FIGURE 6D shows the addition of site C1S5 as a member of mesh VPN component C1V1X2.
The routing policy for the addition of site C1S5 to mesh VPN component C1V1X2 comprises of
import rules IF1 and IF2; one local export rule EL1; and one remote export rule ER1.

The import rules for site C1S5 are preferably specified as:
IF1 {0, 0, C1S5, 0, 0, 0} -> Reject; /* no routes from self (default) */
IF2 {0, C1V1X2Tm, 0, 0, 0, 0} -> Accept; /* import routes from X2 mesh */

The export rules are preferably specified as
EL1 {0, 0, 0, 0, 0, 0} -> Accept with {C1V1X2D, C1V1X2Tm, C1S5, C1V1, =, 0}; /* export routes to X2 mesh */
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

In some cases it may be desirable to create routing policy to share routes between different VPN
components of a VPN, for example VPN components C1V1X1 and C1V1X2 of VPN C1V1. Since site
C1S1 is a member of both VPN components C1V1X1 and C1V1X2, one or more rules of site C1S1 (as
shown above with reference to FIGURE 6C) may be modified to allow sharing of routes between
different components. In the preferred embodiment, the remote export rules are modified.

Thus, preferably the following remote export rule is deleted:
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */

The following remote export rules are added:
ER1 {0, 0, 0, 0, 0, PE.C1S1} -> Reject; /* do not readvertise if site's PE is the next hop */
ER2 {0, C1V1X1Ts, 0, 0, 0, 0} -> Accept with {C1V1X2D, C1V1X2Tm, =, =, =, PE.C1S1}; /* Reflect X1 routes into X2 making the site's local PE as the next hop */
ER3 {0, C1V1X2Tm, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Th, =, =, =, PE.C1S1}; /* Reflect X2 routes into X1 making the site's local PE as the next hop */
In some cases, it may be desirable to change the routing policy so that the different components
of a VPN may no longer share routes, for example VPN components C1V1X1 and C1V1X2 of VPN
C1V1. Since site C1S1 is a member of both VPN components C1V1X1 and C1V1X2, one or more rules
of site C1S1 (as shown above with reference to FIGURE 6C) may be modified to prevent sharing of
routes between the different components. In the preferred embodiment, the remote export rules are
modified.

Thus, preferably the following remote export rules are deleted:
ER1 {0, 0, 0, 0, 0, PE.C1S1} -> Reject; /* do not readvertise if the site's PE is the next hop */
ER2 {0, C1V1X1Ts, 0, 0, 0, 0} -> Accept with {C1V1X2D, C1V1X2Tm, =, =, =, PE.C1S1}; /* Reflect X1 routes into X2 making the site's local PE as the next hop */
ER3 {0, C1V1X2Tm, 0, 0, 0, 0} -> Accept with {C1V1X1D, C1V1X1Th, =, =, =, PE.C1S1}; /* Reflect X2 routes into X1 making the site's local PE as the next hop */

The following remote export rule is added:
ER1 {0, 0, 0, 0, 0, 0} -> Reject; /* do not readvertise */
Thus, in the preferred embodiment, MCS 201 captures the intent of the provisioning operator as
graphically expressed through the user interface and automatically translates it to provide topology
constrained routing policy provisioning.
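
The per-site rule sets listed for FIGURES 6A-6D follow mechanically from each site's role in each VPN component. The following Python sketch is an added example, not code from the patent or from MCS 201: it regenerates those rules for the FIGURE 5 topology and audits the resulting route imports against the topology. The function names, first-match rule evaluation and the reject-when-nothing-matches default are assumptions.

```python
from collections import namedtuple

# Field order used on this page: (RD, RT, SOO, VPN_ID, IPv4 Prefix, NH).
# In a match tuple 0 means "don't care"; in attrs "=" means "leave unchanged".
Rule = namedtuple("Rule", "name match action attrs")
ANY = (0, 0, 0, 0, 0, 0)
# role -> (Route Target suffix imported, Route Target suffix exported)
TARGETS = {"hub": ("Ts", "Th"), "spoke": ("Th", "Ts"), "mesh": ("Tm", "Tm")}

def site_rules(site, vpn, memberships):
    """Build the rule sets for one site from [(component, role), ...]."""
    imports = [Rule("IF1", (0, 0, site, 0, 0, 0), "Reject", None)]  # no routes from self
    exports = []
    for comp, role in memberships:
        imp, exp = TARGETS[role]
        imports.append(Rule("IF%d" % (len(imports) + 1),
                            (0, comp + imp, 0, 0, 0, 0), "Accept", None))
        exports.append(Rule("EL%d" % (len(exports) + 1), ANY, "Accept",
                            (comp + "D", comp + exp, site, vpn, "=", 0)))
    remote = [Rule("ER1", ANY, "Reject", None)]  # do not readvertise
    return {"import": imports, "local_export": exports, "remote_export": remote}

def first_match(rules, route):
    """Assumption: rules are evaluated in order and an unmatched route is rejected."""
    for rule in rules:
        if all(m == 0 or m == v for m, v in zip(rule.match, route)):
            return rule.action
    return "Reject"

def reachability(policy):
    """Return {(importer, origin)} for every locally exported route that is accepted."""
    pairs = set()
    for origin, rules in policy.items():
        for export in rules["local_export"]:
            for importer, theirs in policy.items():
                if first_match(theirs["import"], export.attrs) == "Accept":
                    pairs.add((importer, origin))
    return pairs

def allowed(topology):
    """Pairs the drawn topology permits: hub<->spoke and mesh<->mesh per component."""
    pairs = set()
    for a, ma in topology.items():
        for b, mb in topology.items():
            if a != b and any(ca == cb and {ra, rb} in ({"hub", "spoke"}, {"mesh"})
                              for ca, ra in ma for cb, rb in mb):
                pairs.add((a, b))
    return pairs

def audit(policy, topology):
    """Return (leaks, missing): imports the topology forbids, and ones it expects."""
    actual, expected = reachability(policy), allowed(topology)
    return actual - expected, expected - actual

# FIGURE 5 topology: X1 is hub-spoke with hub S1, X2 is a mesh of S1 and S5.
TOPOLOGY = {"C1S1": [("C1V1X1", "hub"), ("C1V1X2", "mesh")],
            "C1S5": [("C1V1X2", "mesh")]}
TOPOLOGY.update({s: [("C1V1X1", "spoke")] for s in ("C1S2", "C1S3", "C1S4")})
POLICY = {s: site_rules(s, "C1V1", m) for s, m in TOPOLOGY.items()}

if __name__ == "__main__":
    for kind, rules in POLICY["C1S1"].items():
        for r in rules:
            print(kind, r.name, r.match, "->", r.action, r.attrs or "")
    print("leaks, missing:", audit(POLICY, TOPOLOGY))
```

Appending an import rule for the spoke target C1V1X1Ts to a spoke's rule set makes audit() report the resulting spoke-to-spoke imports as leaks.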

While the invention has been particularly shown and described by the foregoing detailed
description, it will be understood by those skilled in the art that various other changes in form and detail
may be made without departing from the spirit and scope of the invention.

1. A method for provisioning routing policy of a plurality of sites of a Virtual Private
Network (VPN), comprising:

enabling graphically defining of relationships between said plurality of sites of said VPN; and
automatically generating at least one routing rule for each site of said VPN based at least in part
on said defined relationship.



2. The method of claim 1, wherein automatically generating at least one routing rule
comprises:

automatically generating at least one import rule;
automatically generating at least one local export rule; and
automatically generating at least one remote export rule.



3. The method of claim 1, wherein automatically generating at least one routing rule for
each site comprises generating an import rule for discarding route information received from the
respective site.

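4. The method of claim 1, wherein automatically generating at least one routing rule
comprises generating, for a site of said plurality of sites an import rule for accepting route information, in
response to said site being a member of a mesh VPN component, received from any site of said plurality
of sites which is a member of said mesh VPN component.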

5. The method of claim 1, wherein automatically generating at least one routing rule
comprises generating for a site of said plurality of sites, an import rule for accepting route information, in
response to said site being a hub of a hub-spoke VPN component, received from any site of said plurality
of sites which is a member of said hub-spoke VPN component.



6. The method of claim 1, wherein automatically generating at least one routing rule
comprises generating for a site of said plurality of sites, an import rule for accepting route information, in
response to said site being a spoke of a hub-spoke VPN component, received from any site of said
plurality of sites which is a hub of said hub-spoke VPN component.

7. The method of claim 1, wherein automatically generating at least one routing rule
comprises automatically generating at least one local export rule, wherein the number of local export
rules generated is at least equal to the number of VPN components of said VPN that the respective site is
a member of.

8. The method of claim 1, wherein automatically generating at least one routing rule
comprises:

generating, for a site of said plurality of sites in response to said site being a member of a mesh
VPN component, a local export rule for:

accepting routes from a Provider Edge-Customer Edge (PE-CE) routing protocol;

associating route information of said VPN to said accepted routes; and

advertising said accepted routes and said route information to all members of said mesh
VPN component.



9. The method of claim 1, wherein automatically generating at least one routing rule
comprises:

generating, for a site of said plurality of sites in response to said site being a hub of a hub-spoke
VPN component, a local export rule for:

accepting routes from a Provider Edge-Customer Edge (PE-CE) routing protocol;

associating route information of said VPN to said accepted routes; and

advertising said accepted routes and said route information to all members of said hub-
spoke VPN component.

10. The method of claim 1, wherein automatically generating at least one routing rule
comprises:

generating, for a site of said plurality of sites in response
VPN component, a local export rule for:

accepting routes from a Provider Edge-Customer Edge (PE-CE) routing protocol;
associating route information of said VPN to said accepted routes; and
advertising said accepted routes and said route information to all members of said hub-
spoke VPN component.



11. The method of claim 1, wherein automatically generating at least one routing rule
comprises:

generating, for a site of said plurality of sites in response to said site being a member
component, a plurality of local export rules for:

accepting routes from a Provider Edge-Customer Edge (PE-CE) routing protocol;

associating at least two sets of route information of said VPN to

advertising said accepted routes and said route information
VPN component.

12. The method of claim 1, wherein automatically generating at least one routing rule for
each site comprises generating a remote export rule for not advertising route information received from a
site which is a member of a VPN component

13. The method of claim 1, wherein automatically generating at least one routing rule for
each site comprises generating, for a site of said plurality of sites in response to said site being a member
of at least two VPN components, a remote export rule for advertising route information received from a
site which is a member of a first VPN component
which is not a member of said first VPN component.

14. The method of claim 1, further comprising storing said at least one routing rule in a
database.

15. A system for provisioning routing policy of a plurality of sites of a Virtual Private
Network (VPN), comprising:

a graphical user interface, comprising:

a display area graphically displaying at least one VPN component of said VPN; and
a customer area displaying said plurality of sites, at least one of said plurality of sites
operable to be dragged from said customer area to said display area, wherein dropping of said at
least one site on a graphical representation of said at least one VPN component causes said at
least one site to be displayed in said display area and to become a member of said VPN
component.

16. The system of claim 15, further comprising means for automatically generating at least
one routing rule for each site of said plurality of sites based at least in part on a membership of said
respective site.

17. The system of claim 16, further comprising means for distributing said respective
generated routing rule to a respective one of said plurality of sites.

18. The system of claim 17, further comprising means for processing, by each site, route
information received from said plurality of sites based at least in part on said at least one routing rule
generated for said respective site.

19. The system of claim 18, further comprising means for establishing routing relations
between said plurality of sites based at least in part on said processed

20. The system of claim 15, further comprising a database operable to store said at least one
routing rule.

21. A method for provisioning routing policy of a plurality of sites of a Virtual Private
Network (VPN), comprising:

graphically displaying at least one VPN component of said VPN;

enabling dragging of a representation of at least one site of said plurality of sites towards said at
least one VPN component;

enabling dropping of said representation
site on said representation of said at
least one VPN component thereby causing

automatically generating at least one routing rule for each site of said plurality of sites based at
least in part on a membership of said respective site.

22. The method of claim 21, further comprising storing said at least one routing rule and
route information received from said plurality

23. The method of claim 22, wherein said route
information is selected from the group consisting
a Site of Origin (SOO), a VPN ID, an Internet Protocol version 4 (IPv4) Prefix, and Next Hop
Information (NH).

24. The method of claim 22, wherein said route information
{RD, RT, SOO, VPN_ID, IPv4 Prefix, NH}, wherein RD denotes a Route Distinguisher, RT
denotes a Route Target, SOO denotes a Site of Origin, VPN_ID denotes a VPN ID, IPv4 Prefix denotes
an Internet Protocol version 4 prefix, and NH denotes a Next Hop

25. The method of claim 24, wherein automatically generating at least one routing rule
comprises generating a routing rule for discarding route information received from site s1, said routing
rule being denoted as
mask {0, 0, 1, 0, 0, 0}, value {0, 0, s1, 0, 0, 0}, action = reject.

26. The method of claim 24, wherein automatically generating at least one routing rule
comprises generating a routing rule for accepting route information comprising a specified Route Target
rt1, said second routing rule being denoted as
mask {0, 1, 0, 0, 0, 0}, value {0, rt1, 0, 0, 0, 0}, action = permit.

27. The method of claim 24, wherein automatically generating at least one routing rule
comprises:

automatically generating at least one local export rule; and
least one local export rule and said at least one remote export rule being gen
mask {0|1, 0|1, 0|1, 0|1, 32 bit mask for IPv4 Prefix, 0|1}, Value {*, *, *, *, *, *}, action =
reject | accept with {RD, RT, SOO, VPN_ID, =, NH}.